Abstract

We present a new software tool for teaching logic based on natural deduction. Its proof system 
is formalized in the proof assistant Isabelle such that its definition is very precise. Soundness 
of the formalization has been proved in Isabelle. The tool is open source software developed 
in TypeScript / JavaScript and can thus be used directly in a browser without any further 
installation. Although developed for undergraduate computer science students who are used to 
studying and programming concrete computer code in a programming language, we consider the 
approach relevant for a broader audience and for other proof systems as well. 
1 Introduction 

In this paper we present the NaDeA software tool. First, we provide the motivation and a 
short description. We then present the natural deduction system as it is done in a popular 
textbook and as it is done in NaDeA by looking at its formalization in Isabelle. This 
illustrates the differences between the two approaches. We also present the semantics of 
first-order logic as formalized in Isabelle, which was used to prove the proof system of NaDeA 
sound. Thereafter we explain how NaDeA is used to construct a natural deduction proof. 
Lastly, we compare NaDeA to other natural deduction assistants and consider how NaDeA 
could be improved. 


1.1 Motivation 


We have been teaching a bachelor logic course, with logic programming, for a decade 
using a textbook with emphasis on tableaux and resolution. We have started to use the 
proof assistant Isabelle [2], and refutation proofs are less preferable here. The proof system 
of natural deduction, with its introduction and elimination rules as well as a 
discharge mechanism, seems more suitable. The natural deduction proof system is widely 
known, used and studied among logicians throughout the world. However, our experience 
shows that many of our undergraduate computer science students struggle to understand its 
most difficult aspects. 

This also goes for other proof systems. The formal language of logic can be hard to 
teach to our students because they do not have a strong theoretical mathematical background. 
Instead, most of the students have a good understanding of concrete computer code in a 
programming language. The syntax used in Isabelle is in many ways similar to a programming 
language, and therefore a clear and explicit formalization of first-order logic and a proof 
system may help the students in understanding important details. Formalizations of model 
theory and proof theory of first-order logic are rare. 

1.2 The Tool 

We present the natural deduction assistant NaDeA with a formalization in the proof assistant 
Isabelle of its proof system. It can be used directly in a browser without any further 
installation and is available here: 

http://nadea.compute.dtu.dk/ 

NaDeA is open source software developed in TypeScript / JavaScript and stored on GitHub. 
The formalization of its proof system in Isabelle is available here: 

http://logic-tools.github.io/ 

Once NaDeA is loaded in the browser (about 250 KB including the jQuery Core library), no 
internet connection is required. Therefore NaDeA can also be stored locally. 

We display the natural deduction proofs in two different formats. We present the proof 
in an explicit code format that is equivalent to the Isabelle syntax, but with a few syntactic 
differences to make it easier to understand for someone trying to learn Isabelle. In this 
format, we present the proof in a style very similar to that of Fitch’s diagram proofs. We 
avoid the seemingly popular Gentzen’s tree style to focus less on a visually pleasing graphical 
representation that is presumably much more challenging to implement. 

We find that the following requirements constitute the key ideals for any natural deduction 
assistant. It should be: 

- Easy to use. 

- Clear and explicit in every detail of the proof. 

- Based on a formalization that can be proved at least sound, but preferably also complete. 

Based on this, we saw an opportunity to develop NaDeA, which offers help to new users 
but also presents an approach that is relevant to advanced users. 

In a paper considering the tools developed for teaching logic over the last decade 
[p. 137], the following is said about assistants (not proof assistants like Isabelle but tools for 
learning/teaching logic): 

Assistants are characterized by a higher degree of interactivity with the user. They 
provide menus and dialogues to the user for interaction purposes. This kind of tool 
gives the students the feeling that they are being helped in building the solution. They 
provide error messages and hints in the guidance to the construction of the answer. 
Many of them usually offer construction of solution in natural deduction proofs. [...] 
They are usually free licensed and of open access. 

We think that this characterization in many ways fits NaDeA. While NaDeA might not bring 
something new to the table in the form of delicate graphical features, we emphasize the fact 
that it has some rather unique features such as a formalization of its proof system in Isabelle. 

2 Natural Deduction in a Textbook 

We consider natural deduction as presented in a popular textbook on logic in computer 
science. First, we take a look at substitution, which is central to the treatment of quantifiers 
in natural deduction. 
2.1 On Substitution 

The following definition for substitution is used in [p. 105 top]: 

    Given a variable x, a term t and a formula φ we define φ[t/x] to be the formula 
    obtained by replacing each free occurrence of variable x in φ with t. 

The usual side conditions that come with rules using this substitution seem to be omitted. 
Shortly after, in [p. 106 top], we are given the following definition of what it means that 
t must be free for x in φ: 

    Given a term t, a variable x and a formula φ, we say that t is free for x in φ if no free 
    x leaf in φ occurs in the scope of ∀y or ∃y for any variable y occurring in t. 

The following quote [p. 106 bottom] from the same book emphasizes how it seems 
preferable, due to the high level of complexity, to avoid the details of these important 
side conditions: 

    It might be helpful to compare 't is free for x in φ' with a precondition of calling 
    a procedure for substitution. If you are asked to compute φ[t/x] in your exercises 
    or exams, then that is what you should do; but any reasonable implementation of 
    substitution used in a theorem prover would have to check whether t is free for x in φ 
    and, if not, rename some variables with fresh ones to avoid the undesirable capture of 
    variables. 

We find that this way of presenting natural deduction proof systems leaves out some 
important notions that the students ought to learn. In our formalization such notions and 
their complications become easier to explain because all side conditions of the rules are very 
explicitly stated. We see it as one of the major advantages of presenting this formalization 
to students. 

2.2 Natural Deduction Rules 

We now present the natural deduction rules as described in the literature, again using the 
same textbook. The first 9 are rules for classical propositional logic and the last 4 are for 
first-order logic. Intuitionistic logic can be obtained by omitting the rule PBC (proof by 
contradiction, called "Boole" later) and adding the ⊥-elimination rule (also known as the rule 
of explosion). The rules are as follows: 
Side conditions to rules for quantifiers: 

[Figure: the ∀I rule. A box introduces the fresh variable x0; inside the box φ[x0/x] is 
derived, and below the box ∀x φ is concluded.] 

    ∃E: x0 cannot occur outside its box (and therefore not in χ). 
    ∃I: t must be free for x in φ. 
    ∀E: t must be free for x in φ. 
    ∀I: x0 is a new variable which does not occur outside its box. 
In addition there is a special copy rule [p. 20]: 


    A final rule is required in order to allow us to conclude a box with a formula which 
    has already appeared earlier in the proof. [...] The rule 'copy' allows us to repeat 
    something that we know already. We need to do this in this example, because the 
    rule →I requires that we end the inner box with p. The copy rule entitles us to 
    copy formulas that appeared before, unless they depend on temporary assumptions 
    whose box has already been closed. Though a little inelegant, this additional rule is a 
    small price to pay for the freedom of being able to use premises, or any other 'visible' 
    formulas, more than once. 


The copy rule is not needed in our formalization due to the way it manages assumptions. 

As can be seen, there are no rules for truth, negation or biimplication, but the following 
equivalences can be used: 

    ⊤ = ⊥ → ⊥ 
    ¬A = A → ⊥ 
    A ↔ B = (A → B) ∧ (B → A) 

The symbols A and B are arbitrary formulas. 

3 Natural Deduction in NaDeA 

One of the unique features of NaDeA is that it comes with a formalization in Isabelle of its 
proof system. 
3.1 Syntax for Terms and Formulas 

The terms and formulas of the first-order logic language are defined as the data types term and 
formula (later abbreviated tm and fm, respectively). The type identifier represents predicate 
and function symbols (later abbreviated id). 

    identifier := string 
    term := Var nat | Fun identifier [term, ..., term] 
    formula := Falsity | Pre identifier [term, ..., term] | Imp formula formula | 
               Dis formula formula | Con formula formula | Exi formula | Uni formula 

Truth, negation and biimplication are abbreviations. In the syntax of our formalization, we 
refer to variables by use of de Bruijn indices. That is, instead of identifying a variable 
by a name, usually x, y, z etc., each variable has an index that determines its scope. 
The use of de Bruijn indices instead of named variables allows for a simple definition of 
substitution. Furthermore, it also serves the purpose of teaching the students about de 
Bruijn indices. Note that we are not advocating that de Bruijn indices replace the standard 
treatment of variables in general. They arguably make complex formulas harder to read, but 
the pedagogical advantage is that the notion of scope is exercised. 

3.2 Natural Deduction Rules 

Provability in NaDeA is defined inductively as follows: 


    member p a 
    ---------- Assume 
    OK p a 

    OK Falsity ((Imp p Falsity) # a) 
    -------------------------------- Boole 
    OK p a 

    OK (Imp p q) a    OK p a 
    ------------------------ Imp_E 
    OK q a 

    OK q (p # a) 
    -------------- Imp_I 
    OK (Imp p q) a 

    OK (Dis p q) a    OK r (p # a)    OK r (q # a) 
    --------------------------------------------- Dis_E 
    OK r a 

    OK p a 
    -------------- Dis_I1 
    OK (Dis p q) a 

    OK q a 
    -------------- Dis_I2 
    OK (Dis p q) a 

    OK (Con p q) a 
    -------------- Con_E1 
    OK p a 

    OK (Con p q) a 
    -------------- Con_E2 
    OK q a 

    OK p a    OK q a 
    ---------------- Con_I 
    OK (Con p q) a 

    OK (Exi p) a    OK q ((sub 0 (Fun c []) p) # a)    news c (p # q # a) 
    ------------------------------------------------------------------- Exi_E 
    OK q a 

    OK (sub 0 t p) a 
    ---------------- Exi_I 
    OK (Exi p) a 

    OK (Uni p) a 
    ---------------- Uni_E 
    OK (sub 0 t p) a 

    OK (sub 0 (Fun c []) p) a    news c (p # a) 
    ------------------------------------------- Uni_I 
    OK (Uni p) a 

OK p a means that the formula p follows from the list of assumptions a, and member p a 
means that p is a member of a. The operator # is between the head and the tail of a list, 
news c l checks that the identifier c does not occur in any of the formulas in the list l, and 
sub n t p returns the formula p where the term t has been substituted for the variable with 
the de Bruijn index n. Instead of writing OK p a we could also use the syntax a ⊢ p, even 
in Isabelle, but we prefer a more programming-like approach. In the types we use => for 
function spaces. The definitions of member, news and sub are as follows: 

    member :: fm => fm list => bool 
    member p [] = False 
    member p (q # a) = (if p = q then True else member p a) 

    new_term :: id => tm => bool 
    new_term c (Var v) = True 
    new_term c (Fun i l) = (if i = c then False else new_list c l) 

    new_list :: id => tm list => bool 
    new_list c [] = True 
    new_list c (t # l) = (if new_term c t then new_list c l else False) 

    new :: id => fm => bool 
    new c Falsity = True 
    new c (Pre i l) = new_list c l 
    new c (Imp p q) = (if new c p then new c q else False) 
    new c (Dis p q) = (if new c p then new c q else False) 
    new c (Con p q) = (if new c p then new c q else False) 
    new c (Exi p) = new c p 
    new c (Uni p) = new c p 

    news :: id => fm list => bool 
    news c [] = True 
    news c (p # a) = (if new c p then news c a else False) 

    inc_term :: tm => tm 
    inc_term (Var v) = Var (v + 1) 
    inc_term (Fun i l) = Fun i (inc_list l) 

    inc_list :: tm list => tm list 
    inc_list [] = [] 
    inc_list (t # l) = inc_term t # inc_list l 

    sub_term :: nat => tm => tm => tm 
    sub_term n s (Var v) = (if v = n then s else if v > n then Var (v - 1) else Var v) 
    sub_term n s (Fun i l) = Fun i (sub_list n s l) 

    sub_list :: nat => tm => tm list => tm list 
    sub_list n s [] = [] 
    sub_list n s (t # l) = sub_term n s t # sub_list n s l 

    sub :: nat => tm => fm => fm 
    sub n s Falsity = Falsity 
    sub n s (Pre i l) = Pre i (sub_list n s l) 
    sub n s (Imp p q) = Imp (sub n s p) (sub n s q) 
    sub n s (Dis p q) = Dis (sub n s p) (sub n s q) 
    sub n s (Con p q) = Con (sub n s p) (sub n s q) 
    sub n s (Exi p) = Exi (sub (n + 1) (inc_term s) p) 
    sub n s (Uni p) = Uni (sub (n + 1) (inc_term s) p) 
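The following TypeScript is an added example, not NaDeA's own source or the paper's Isabelle code: it transliterates the data types of Section 3.1 and the functions inc_term, sub_term, sub, new and news above, and works through why the index shifting in sub makes a "t is free for x" side condition unnecessary. The constructor helpers (Var, Fun, Pre, Uni, Exi) and the sample formulas are assumptions of the example.

```typescript
// Added example (not NaDeA's code): de Bruijn syntax and the substitution/freshness
// functions of the Isabelle formalization, transliterated to TypeScript.
type Tm = { tag: "Var"; v: number } | { tag: "Fun"; id: string; args: Tm[] };
type Fm =
  | { tag: "Falsity" }
  | { tag: "Pre"; id: string; args: Tm[] }
  | { tag: "Imp" | "Dis" | "Con"; p: Fm; q: Fm }
  | { tag: "Exi" | "Uni"; p: Fm };

// Constructor helpers (this example's own, mirroring the Isabelle constructors).
const Var = (v: number): Tm => ({ tag: "Var", v });
const Fun = (id: string, args: Tm[] = []): Tm => ({ tag: "Fun", id, args });
const Pre = (id: string, args: Tm[] = []): Fm => ({ tag: "Pre", id, args });
const Uni = (p: Fm): Fm => ({ tag: "Uni", p });
const Exi = (p: Fm): Fm => ({ tag: "Exi", p });
const fmEq = (x: Fm, y: Fm): boolean => JSON.stringify(x) === JSON.stringify(y);

// inc_term: a term pushed under one more binder must point one index further out.
function incTerm(t: Tm): Tm {
  return t.tag === "Var" ? Var(t.v + 1) : Fun(t.id, t.args.map(incTerm));
}

// sub_term n s t: index n becomes s; indices above n drop by one because the
// binder that introduced n disappears; indices below n are untouched.
function subTerm(n: number, s: Tm, t: Tm): Tm {
  if (t.tag === "Fun") return Fun(t.id, t.args.map((a) => subTerm(n, s, a)));
  return t.v === n ? s : t.v > n ? Var(t.v - 1) : t;
}

// sub n s p: under Exi/Uni both the index and the substituted term are shifted,
// so a free variable in s can never be captured by the binder it passes.
function sub(n: number, s: Tm, p: Fm): Fm {
  switch (p.tag) {
    case "Falsity": return p;
    case "Pre": return Pre(p.id, p.args.map((a) => subTerm(n, s, a)));
    case "Exi": case "Uni": return { tag: p.tag, p: sub(n + 1, incTerm(s), p.p) };
    default: return { tag: p.tag, p: sub(n, s, p.p), q: sub(n, s, p.q) };
  }
}

// new_term / new / news: the constant symbol c occurs in no term of the formula(s).
function newTerm(c: string, t: Tm): boolean {
  return t.tag === "Var" || (t.id !== c && t.args.every((a) => newTerm(c, a)));
}
function isNew(c: string, p: Fm): boolean {
  switch (p.tag) {
    case "Falsity": return true;
    case "Pre": return p.args.every((a) => newTerm(c, a));
    case "Exi": case "Uni": return isNew(c, p.p);
    default: return isNew(c, p.p) && isNew(c, p.q);
  }
}
const news = (c: string, a: Fm[]): boolean => a.every((p) => isNew(c, p));

// Worked case (constructed): in  Uni (Pre "P" [Var 0, Var 1])  Var 0 is bound by Uni
// and Var 1 is the variable that has index 0 outside the quantifier.
const phi: Fm = Uni(Pre("P", [Var(0), Var(1)]));
// Instantiating outer index 0 with the constant c reaches Var 1 under the binder.
const withC: Fm = sub(0, Fun("c"), phi);  // Uni (Pre "P" [Var 0, Fun "c" []])
// Substituting the variable Var 3 instead: it is shifted to Var 4 under the binder.
const withVar: Fm = sub(0, Var(3), phi);  // Uni (Pre "P" [Var 0, Var 4])
// An index above the substituted one drops by one.
const dropped: Fm = sub(0, Fun("c"), Pre("P", [Var(2)]));  // Pre "P" [Var 1]
// The freshness check behind Exi_E and Uni_I: c is new for phi but not for withC.
const freshBefore = news("c", [phi]);   // true
const freshAfter = news("c", [withC]);  // false
```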
3.3 Semantics for Terms and Formulas 


To give meaning to formulas and to prove NaDeA sound we need a semantics of the first-order 
logic language. This semantics is defined in the formalization in Isabelle, and it is thus not 
part of the tool itself. We present the semantics below. Here e is the environment, i.e. a mapping 
of variables to elements, and f maps function symbols to the maps they represent. These maps 
are from lists of elements of the universe to elements of the universe. Likewise, g maps 
predicate symbols to the maps they represent. 'u is a type variable that represents the 
universe. It can be instantiated with any type; for instance, it can be instantiated with the 
natural numbers, the real numbers or strings. 


    semantics_term :: (nat => 'u) => (id => 'u list => 'u) => tm => 'u 
    semantics_term e f (Var v) = e v 
    semantics_term e f (Fun i l) = f i (semantics_list e f l) 

    semantics_list :: (nat => 'u) => (id => 'u list => 'u) => tm list => 'u list 
    semantics_list e f [] = [] 
    semantics_list e f (t # l) = semantics_term e f t # semantics_list e f l 

    semantics :: (nat => 'u) => (id => 'u list => 'u) => (id => 'u list => bool) => fm => bool 
    semantics e f g Falsity = False 
    semantics e f g (Pre i l) = g i (semantics_list e f l) 
    semantics e f g (Imp p q) = (if semantics e f g p then semantics e f g q else True) 
    semantics e f g (Dis p q) = (if semantics e f g p then True else semantics e f g q) 
    semantics e f g (Con p q) = (if semantics e f g p then semantics e f g q else False) 
    semantics e f g (Exi p) = (? x. semantics (% n. if n = 0 then x else e (n - 1)) f g p) 
    semantics e f g (Uni p) = (! x. semantics (% n. if n = 0 then x else e (n - 1)) f g p) 

Most of the cases of semantics should be self-explanatory, but the Uni case is complicated. 
The details are not important here, but in the case for Uni it uses the universal quantifier (!) 
of Isabelle’s higher-order logic to consider all values of the universe. It also uses the lambda 
abstraction operator (%) to keep track of the indices of the variables. Likewise, the case for 
Exi uses the existential quantifier (?) of Isabelle’s higher-order logic. 
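As an added example that is not part of the paper or of NaDeA, the semantics above in TypeScript. Isabelle's ? and ! range over the whole type 'u; here the universe is an explicit finite list (an assumption of this example), so the Exi and Uni cases become exhaustive loops, and the constructed interpretation (universe {0, 1, 2}, constant zero, predicate less) shows how the environment shift (% n. ...) makes Var 1 under a quantifier refer to the next binder out or to a free variable.

```typescript
// Added example (not NaDeA's code): semantics_term and semantics over a finite universe.
type Tm = { tag: "Var"; v: number } | { tag: "Fun"; id: string; args: Tm[] };
type Fm =
  | { tag: "Falsity" }
  | { tag: "Pre"; id: string; args: Tm[] }
  | { tag: "Imp" | "Dis" | "Con"; p: Fm; q: Fm }
  | { tag: "Exi" | "Uni"; p: Fm };
type Env<U> = (n: number) => U;                          // e: de Bruijn index to element
type FunInterp<U> = (id: string, args: U[]) => U;        // f: function symbols
type PredInterp<U> = (id: string, args: U[]) => boolean; // g: predicate symbols

// Constructor helpers (this example's own).
const Var = (v: number): Tm => ({ tag: "Var", v });
const Fun = (id: string, args: Tm[] = []): Tm => ({ tag: "Fun", id, args });
const Falsity: Fm = { tag: "Falsity" };
const Pre = (id: string, args: Tm[] = []): Fm => ({ tag: "Pre", id, args });
const Imp = (p: Fm, q: Fm): Fm => ({ tag: "Imp", p, q });
const Uni = (p: Fm): Fm => ({ tag: "Uni", p });
const Exi = (p: Fm): Fm => ({ tag: "Exi", p });

// semantics_term and semantics_list folded into one function.
function semanticsTerm<U>(e: Env<U>, f: FunInterp<U>, t: Tm): U {
  return t.tag === "Var" ? e(t.v) : f(t.id, t.args.map((a) => semanticsTerm(e, f, a)));
}

// (% n. if n = 0 then x else e (n - 1)): the freshly bound variable gets index 0
// and every variable from outside the quantifier moves one index up.
const bind = <U>(x: U, e: Env<U>): Env<U> => (n) => (n === 0 ? x : e(n - 1));

// semantics e f g p, with the finite list univ standing in for the type 'u.
function semantics<U>(univ: U[], e: Env<U>, f: FunInterp<U>, g: PredInterp<U>, p: Fm): boolean {
  const sem = (e2: Env<U>, q: Fm): boolean => semantics(univ, e2, f, g, q);
  switch (p.tag) {
    case "Falsity": return false;
    case "Pre": return g(p.id, p.args.map((a) => semanticsTerm(e, f, a)));
    case "Imp": return sem(e, p.p) ? sem(e, p.q) : true;
    case "Dis": return sem(e, p.p) ? true : sem(e, p.q);
    case "Con": return sem(e, p.p) ? sem(e, p.q) : false;
    case "Exi": return univ.some((x) => sem(bind(x, e), p.p));   // ? x. ...
    default:    return univ.every((x) => sem(bind(x, e), p.p));  // ! x. ... (Uni)
  }
}

// Constructed interpretation: universe {0, 1, 2}, constant zero, predicate less.
const univ = [0, 1, 2];
const f: FunInterp<number> = (id) => { if (id === "zero") return 0; throw new Error(id); };
const g: PredInterp<number> = (id, [a, b]) => { if (id === "less") return a < b; throw new Error(id); };
const e1: Env<number> = () => 1;   // every free variable denotes 1
const evalIn = (p: Fm): boolean => semantics(univ, e1, f, g, p);

// Under Exi/Uni, Var 0 is the bound variable and Var 1 the next binder out (or a free variable).
const everyHasLarger = Uni(Exi(Pre("less", [Var(1), Var(0)])));             // ALL x. EX y. x < y: false, 2 has none
const someMaximal = Exi(Uni(Imp(Pre("less", [Var(1), Var(0)]), Falsity)));  // EX x. ALL y. not (x < y): true, x = 2
const freeHasLarger = Exi(Pre("less", [Var(1), Var(0)]));                   // EX y. e(0) < y with e(0) = 1: true
const noneBelowZero = Uni(Imp(Pre("less", [Var(0), Fun("zero")]), Falsity)); // ALL x. not (x < zero): true
```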

We have proved soundness of the formalization in Isabelle (shown here as a derived rule): 


    OK p [] 
    ----------------- Soundness 
    semantics e f g p 


This result makes NaDeA interesting to a broader audience since it gives confidence in the 
formulas proved using the tool. 


4 Construction of a Proof 

We now describe the core features of NaDeA from the perspective of the user. That is, we 
uncover how to use NaDeA to conduct and edit a proof as well as how proofs are presented. 

In order to start a proof, you have to start by specifying the goal formula, that is, the 
formula you wish to prove. To do so, you must enable editing mode by clicking the Edit 
button in the top menu bar. This will show the underlying proof code, and you can build 
formulas by clicking the red symbol. Alternatively, you can load a number of tests by 
clicking the Load button. 

At all times, once you have fully specified the conclusion of any given rule, you can 
continue the proof by selecting the next rule to apply. Again you can do this by clicking 
the red symbol. Furthermore, NaDeA allows for undoing and redoing editing steps without 
limit. 

All proofs are conducted in backward-chaining mode. That is, you must start by specifying 
the formula that you wish to prove. You then apply the rules inductively until you reach a 
proof — if you can find one. The proof is finished by automatic application of the Assume 
rule once the conclusion of a rule is found in the list of assumptions. 

To start over on a new proof, you can load the blank proof by using the Load button, or 
you can refresh the page. Please note that any unsaved work will then be gone. 

In NaDeA we present any given natural deduction proof (or an attempt at one) in two 
different types of syntax. One syntax follows the rules as defined in Section 3 and is closely 
related to the formalization in Isabelle, but with a redefined and simpler syntax for the 
purpose of learning. The proof is not built as most often seen in the literature about natural 
deduction. Usually, for each rule the premises are placed above its conclusion, separated by a 
line. We instead place each premise of a rule on a separate line below its conclusion with an 
additional level of indentation. 


[Screenshot: Natural Deduction Assistant] 

    1 Imp_I      []              P ∧ (P → Q) → Q 
    2   Imp_E    [P ∧ (P → Q)]   Q 
    3     Con_E2 [P ∧ (P → Q)]   P → Q 
    4       Assume [P ∧ (P → Q)] P ∧ (P → Q) 
    5     Con_E1 [P ∧ (P → Q)]   P 
    6       Assume [P ∧ (P → Q)] P ∧ (P → Q) 



The above proof can also be written in terms of the OK syntax as follows: 

    1 OK (Imp (Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" []))) (Pre "Q" [])) []                                   Imp_I 
    2 OK (Pre "Q" []) [(Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" [])))]                                         Imp_E 
    3 OK (Imp (Pre "P" []) (Pre "Q" [])) [(Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" [])))]                      Con_E2 
    4 OK (Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" []))) [(Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" [])))]   Assume 
    5 OK (Pre "P" []) [(Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" [])))]                                         Con_E1 
    6 OK (Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" []))) [(Con (Pre "P" []) (Imp (Pre "P" []) (Pre "Q" [])))]   Assume 

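The following TypeScript is an added example rather than NaDeA's own code: a checker for the propositional rules of Section 3.2 (the Exi/Uni rules need sub and news and are left out), run on the six-step proof above in OK syntax. The proof-tree shape, the helper names (ruleOk, check, ctxEq) and the deliberately wrong step at the end are assumptions of the example.

```typescript
// Added example (not NaDeA's code): local rule checking for the OK p a judgement.
type Tm = { tag: "Var"; v: number } | { tag: "Fun"; id: string; args: Tm[] };
type Fm =
  | { tag: "Falsity" }
  | { tag: "Pre"; id: string; args: Tm[] }
  | { tag: "Imp" | "Dis" | "Con"; p: Fm; q: Fm }
  | { tag: "Exi" | "Uni"; p: Fm };
// One node states "OK fm a" by the named rule; premises follow the order in the rule.
type Proof = { rule: string; fm: Fm; a: Fm[]; premises: Proof[] };

const Falsity: Fm = { tag: "Falsity" };
const Pre = (id: string, args: Tm[] = []): Fm => ({ tag: "Pre", id, args });
const Imp = (p: Fm, q: Fm): Fm => ({ tag: "Imp", p, q });
const Con = (p: Fm, q: Fm): Fm => ({ tag: "Con", p, q });
const eq = (x: Fm, y: Fm): boolean => JSON.stringify(x) === JSON.stringify(y);
const ctxEq = (x: Fm[], y: Fm[]): boolean => x.length === y.length && x.every((p, i) => eq(p, y[i]));
const member = (p: Fm, a: Fm[]): boolean => a.some((q) => eq(p, q));   // member p a

// Does the node's conclusion follow from its premises by the rule it names?
// "[x, ...a]" is the Isabelle list  x # a  (discharged assumption on top).
function ruleOk(n: Proof): boolean {
  const { fm, a, premises: pr } = n;
  const [p1, p2, p3] = pr;
  switch (n.rule) {
    case "Assume": return pr.length === 0 && member(fm, a);
    case "Boole":  return pr.length === 1 && p1.fm.tag === "Falsity" && ctxEq(p1.a, [Imp(fm, Falsity), ...a]);
    case "Imp_I":  return pr.length === 1 && fm.tag === "Imp" && eq(p1.fm, fm.q) && ctxEq(p1.a, [fm.p, ...a]);
    case "Imp_E":  return pr.length === 2 && p1.fm.tag === "Imp" && eq(p1.fm.q, fm)
                       && eq(p2.fm, p1.fm.p) && ctxEq(p1.a, a) && ctxEq(p2.a, a);
    case "Con_I":  return pr.length === 2 && fm.tag === "Con" && eq(p1.fm, fm.p) && eq(p2.fm, fm.q)
                       && ctxEq(p1.a, a) && ctxEq(p2.a, a);
    case "Con_E1": return pr.length === 1 && p1.fm.tag === "Con" && eq(p1.fm.p, fm) && ctxEq(p1.a, a);
    case "Con_E2": return pr.length === 1 && p1.fm.tag === "Con" && eq(p1.fm.q, fm) && ctxEq(p1.a, a);
    case "Dis_I1": return pr.length === 1 && fm.tag === "Dis" && eq(p1.fm, fm.p) && ctxEq(p1.a, a);
    case "Dis_I2": return pr.length === 1 && fm.tag === "Dis" && eq(p1.fm, fm.q) && ctxEq(p1.a, a);
    case "Dis_E":  return pr.length === 3 && p1.fm.tag === "Dis" && ctxEq(p1.a, a)
                       && eq(p2.fm, fm) && ctxEq(p2.a, [p1.fm.p, ...a])
                       && eq(p3.fm, fm) && ctxEq(p3.a, [p1.fm.q, ...a]);
    default: return false;   // quantifier rules not handled in this example
  }
}
// A proof tree is accepted when every node is locally correct; Assume closes the leaves.
const check = (n: Proof): boolean => ruleOk(n) && n.premises.every(check);

// The proof from the page: OK (Imp (Con P (Imp P Q)) Q) [] by Imp_I, Imp_E, Con_E2, Assume, Con_E1, Assume.
const P = Pre("P"), Q = Pre("Q");
const hyp = Con(P, Imp(P, Q));
const assume: Proof = { rule: "Assume", fm: hyp, a: [hyp], premises: [] };
const pageProof: Proof = { rule: "Imp_I", fm: Imp(hyp, Q), a: [], premises: [
  { rule: "Imp_E", fm: Q, a: [hyp], premises: [
    { rule: "Con_E2", fm: Imp(P, Q), a: [hyp], premises: [assume] },
    { rule: "Con_E1", fm: P, a: [hyp], premises: [assume] } ] } ] };
// A constructed wrong step: Con_E1 used to read off the right conjunct.
const badProof: Proof = { rule: "Con_E1", fm: Imp(P, Q), a: [hyp], premises: [assume] };
```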


5 Related Work 


Throughout the development of NaDeA we have considered some of the natural deduction 
assistants currently available. Several of the available tools share some common flaws: they 
can be hard to get started with, or depend on a specific platform. However, there are also 
many tools that each bring something useful and unique to the table. One of the most 
prominent is Panda. Panda includes a lot of graphical features that make 
it fast for the experienced user to conduct proofs, and it helps beginners to tread safely. 
Another characteristic of Panda is the possibility to edit proofs partially before combining 
them into a whole. This definitely serves well to reduce the confusion and complexity involved 
in conducting large proofs. However, we still believe that the way of presenting the proof 
can be more explicit. In NaDeA, every detail is clearly stated as part of the proof code. In 
that sense, the students should become more aware of the side conditions to rules and how 
they work. 

Another tool that deserves mention is ProofWeb, which is open source software for 
teaching natural deduction. It provides interaction between some proof assistants (Coq, 
Isabelle, Lego) and a web interface. The tool is highly advanced in its features and uses its 
own syntax. Also, it gives the user the possibility to display the proof in different formats. 
However, the advanced features come at the cost of being very complex for undergraduate 
students and require that you learn a new syntax. It serves as a great tool for anyone 
familiar with natural deduction who wants to conduct complex proofs that can be verified 
by the system. It may, on the other hand, prove less useful for teaching natural deduction to 
beginners, since there is no easy way to get started. In NaDeA, you are free to apply any 
(applicable) rule to a given formula, and thus beginners have the freedom to play around 
with the proof system in a safe way. Furthermore, the formalized soundness result for the 
proof system of NaDeA makes it relevant for a broader audience, since it gives confidence 
that the formulas proved with the tool are actually valid. 


6 Further Work 


In NaDeA there is support for proofs in propositional logic as well as first-order logic. We 
would also like to extend it to more complex logic languages, the most natural step being 
higher-order logic. This could be achieved using the CakeML approach. Other branches of 
logic would also be interesting, and the possibilities are numerous. Apart from extending 
the natural deduction proof system to support other types of logic, another option is to 
implement other proof systems as well. 

Because the NaDeA tool has a formalization in Isabelle of its proof system, we would like 
to provide features that allow for a direct integration with Isabelle. For instance, we would 
like to allow for proofs to be exported to an Isabelle format that could verify the correctness 
of the proofs. A formal verification of the implementation would require much effort, but 
perhaps it could be reimplemented on top of Isabelle (although probably not in TypeScript / 
JavaScript). 

We would like to extend NaDeA with more features in order to help the user in conducting 
proofs and in understanding logic. For example, the tool could be extended with step-by-step 
execution of the auxiliary primitive recursive functions used in the side conditions of the 
natural deduction rules. 

So far only a small group of computer science students have tested NaDeA, but it will be 
classroom tested with around 60 bachelor students in the next semester. Currently the tool 
has no support for student assignments and automatic feedback and/or grading. The tool 
could be extended such that the students are evaluated and perhaps given a score based on 
the proofs they conduct. It is not obvious how this could best be implemented. We hope 
to find the resources for the development of such features but already now we think that 
the tool has the potential to be one of the main ways to teach logic in mathematics and 
computer science. 